[rpms/postsrsd] epel10: switch to using postsrsd.domains as default rewrite domain, so that default config works

[rpms/postsrsd] epel10: switch to using postsrsd.domains as default rewrite domain, so that default config works

[David Beveridge]

A new commit has been pushed.

Repo   : rpms/postsrsd
Branch : epel10
Commit : 422f3ee27cd162ef6cecef3e9aed7dad150f55d6
Author : David Beveridge <dave@bevhost.com>
Date   : 2026-06-07T05:50:06+10:00
Stats  : +86/-49 in 4 file(s)
URL    : https://src.fedoraproject.org/rpms/postsrsd/c/422f3ee27cd162ef6cecef3e9aed7dad150f55d6?branch=epel10

Log:
switch to using postsrsd.domains as default rewrite domain, so that default config works

---
diff --git a/postsrsd.conf b/postsrsd.conf
index 99c67b2..a112c4c 100644
--- a/postsrsd.conf
+++ b/postsrsd.conf
@@ -1,5 +1,5 @@
 # PostSRSd example configuration file
-# Copyright 2022 Timo Röhling
+# Copyright 2022-2023 Timo Röhling
 # SPDX-License-Identifier: FSFUL
 #
 # The copyright holder gives unlimited permission to copy, distribute and modify
@@ -11,17 +11,19 @@
 # Example:
 #     domains = { "example.com", "example.org", "example.net" }
 #
-domains = {}
+#domains = {}
 
 # Local domains (file storage)
 # Instead of listing your local domains directly, you can also write them to a
 # file and have PostSRSd read it. This is particularly useful if you have a
-# large number of domains for which you need to act as mail forwarder.
+# large number of domains for which you need to act as mail forwarder. PostSRSd
+# reads this file before it chroots and drops root privileges. The file format
+# is one domain per line.
 #
 # Example:
 #     domains-file = "/etc/postsrsd.domains"
 #
-#domains-file =
+domains-file = "/etc/postsrsd.domains"
 
 # Dedicated SRS rewrite domain.
 # The local domain which is used to create the ephemeral SRS envelope
@@ -38,7 +40,8 @@ domains = {}
 # Traditionally, PostSRSd interacts with Postfix through the canonicalization
 # lookup tables of the cleanup daemon. If you use a unix socket, be aware that
 # most Postfix instances will jail their cleanup daemon in a /var/spool/postfix
-# chroot, so no other path will be visible to them.
+# chroot, so no other path will be visible to them. Unix sockets are created
+# before PostSRSd chroots and drops root privileges.
 #
 # Examples:
 #     socketmap = unix:/var/spool/postfix/srs
@@ -58,7 +61,8 @@ keep-alive = 30
 
 # Milter endpoint for MTA integration.
 # PostSRSd can act as a milter to rewrite envelope addresses if it has been
-# built with milter support.
+# built with milter support. Unix sockets are created before PostSRSd chroots
+# and drops root privileges.
 #
 # Examples:
 #     milter = unix:/var/spool/postfix/srs_milter
@@ -90,14 +94,14 @@ original-envelope = embedded
 # used. The option is ignored if original-envelope is set to "embedded". Also
 # note that PostSRSd needs to be built with SQLite or Redis support for this.
 #
-# Also note that you need to put the SQLite database into the chroot directory
-# if you jail PostSRSd; otherwise, the database file will not be accessible.
+# PostSRSd reads this database after it chroots and drops root privileges, so
+# the actual filename is the chroot directory joined with this filename.
 #
 # Examples:
+#     envelope-database = "sqlite:./senders.db"
 #     envelope-database = "redis:localhost:6379"
 #
-# Note from the packager:
-#   currently we're using /run to setup the database, but with the above requirement that mean a SQLite database is not possible as /run is not permanent
+#envelope-database = "sqlite:./senders.db"
 
 # Secret keys for signing and verifying SRS addresses.
 # Rewritten addresses are tagged with a truncated HMAC-SHA1 signature, to
@@ -107,7 +111,11 @@ original-envelope = embedded
 # signatures will always be generated with the first configured secret.
 #
 # For security reasons, you should also make sure that the file is owned and
-# only accessible by root (chmod 600).
+# only accessible by root (chmod 600). PostSRSd reads this file before it
+# chroots and drops root privileges.
+#
+# Example:
+#     secrets-file = "/etc/postsrsd.secret"
 #
 secrets-file = "/etc/postsrsd.secret"
 
@@ -149,21 +157,33 @@ hash-minimum = 4
 always-rewrite = off
 
 # Execute PostSRSd as unprivileged user
-# If you set this highly recommended option, PostSRSd will drop root
-# privileges and switch to the configured user before it enters the main loop
-# to handle untrusted input.
+# Drop root privileges and run as this user before entering the main loop and
+# handling untrusted input. To prevent PostSRSd from changing users, set this to
+# the empty string.
+#
+# Example:
+#     unprivileged-user = "nobody"
 #
 unprivileged-user = "nobody"
 
 # Execute PostSRSd in chroot jail
-# If you set this highly recommended option, PostSRSd will jail itself
-# in the given directory, which adds an additional layer of protection
-# against the exploitation of security bugs in PostSRSd.
+# PostSRSd will jail itself in the given directory, which adds an additional
+# layer of protection against the exploitation of security bugs in PostSRSd. To
+# prevent PostSRSd from chrooting, set this to the empty string.
 #
-chroot-dir = "/run/postsrsd"
+# Example:
+#     chroot-dir = "/var/lib/postsrsd"
+#
+chroot-dir = "/var/lib/postsrsd"
 
 # Syslog
 # PostSRSd writes log messages to stderr. If you enable this option, PostSRSd
 # will also send all messages to the syslog mail facility.
 #
 syslog = off
+
+# Debug
+# This option makes PostSRSd more verbose in its logging, which can be useful
+# to hunt down configuration problems.
+#
+debug = off

diff --git a/postsrsd.pp b/postsrsd.pp
new file mode 100644
index 0000000..c4d81dd
Binary files /dev/null and b/postsrsd.pp differ

diff --git a/postsrsd.spec b/postsrsd.spec
index 9128c31..ad4f97d 100644
--- a/postsrsd.spec
+++ b/postsrsd.spec
@@ -1,4 +1,4 @@
-%global build_options -DGENERATE_SRS_SECRET=OFF -DUSE_SELINUX=ON -DINIT_FLAVOR=systemd
+%global build_options -DFETCHCONTENT_TRY_FIND_PACKAGE_MODE=ALWAYS -DFETCHCONTENT_FULLY_DISCONNECTED=ON -DTESTS_WITH_ASAN=OFF
 
 %undefine __cmake_in_source_build
 
@@ -7,24 +7,27 @@ Version:        2.0.11
 Release:        1%{?dist}
 Summary:        Sender Rewriting Scheme (SRS) provider
 
-License:        GPLv2+
+License:        GPL-3.0-only BSD-3-Clause FSFAP FSFUL
 URL:            https://github.com/roehling/postsrsd
 Source0:        https://github.com/roehling/%{name}/archive/%{version}/%{name}-%{version}.tar.gz
-Source1:        postsrsd.conf
+Source1:	postsrsd.conf
+Source2:        postsrsd.pp
 
-BuildRequires: make
+Requires:	libconfuse
+BuildRequires:     make
 BuildRequires:     cmake
 BuildRequires:     gcc
 BuildRequires:     help2man
 BuildRequires:     selinux-policy-devel
 BuildRequires:     libconfuse-devel
+BuildRequires:     check-devel
+BuildRequires:     libasan
 %{?systemd_requires}
 BuildRequires:     systemd
 Requires(post):    policycoreutils
 Requires(preun):   policycoreutils
 Requires(postun):  policycoreutils
 
-
 %description
 PostSRSd provides the Sender Rewriting Scheme (SRS) via TCP-based lookup tables for Postfix.
 SRS is needed if your mail server acts as forwarder.
@@ -32,53 +35,43 @@ SRS is needed if your mail server acts as forwarder.
 
 %prep
 %autosetup -n %{name}-%{version}
-%if (0%{?rhel} && 0%{?rhel} < 8)
-mkdir build
-cd build && %cmake .. %build_options
-%else
 %cmake %build_options
-%endif
 
 
 %build
-%if (0%{?rhel} && 0%{?rhel} < 8)
-%make_build -C build
-%else
 %cmake_build
-%endif
-
+%ctest
 
 %install
-%if (0%{?rhel} && 0%{?rhel} < 8)
-%make_install -C build
-%else
 %cmake_install
-%endif
+
+install -m 644 README.rst CHANGELOG.rst %{buildroot}/%{_docdir}/%{name}/
 
 # %%ghost file requires it is present in the build root
 touch %{buildroot}/%{_sysconfdir}/postsrsd.secret
 
-# proper location for systemd config
-mkdir -p %{buildroot}/%{_unitdir}
-mv %{buildroot}/%{_sysconfdir}/systemd/system/postsrsd.service %{buildroot}/%{_unitdir}/postsrsd.service
-rm -rf %{buildroot}/%{_sysconfdir}/systemd
+# config file can work without modification
+cp %{SOURCE1} %{buildroot}/%{_sysconfdir}/postsrsd.conf
+
+# user nobody already exists
+rm -f %{buildroot}/%{_sysusersdir}/postsrsd.conf
 
-# default configuration and chroot directory
-cp %{SOURCE1} %{buildroot}/%{_sysconfdir}/
-sed -ri -e "s/(\[Install\])/RuntimeDirectory=postsrsd\nRuntimeDirectoryMode=0750\n\n\1/" %{buildroot}/%{_unitdir}/postsrsd.service
+# Runtime Directory
+mkdir -p %{buildroot}/%{_sharedstatedir}/%{name}
 
+# selinux policy
+mkdir -p %{buildroot}/%{_datadir}/selinux/packages/%{name}
+cp %{SOURCE2} %{buildroot}/%{_datadir}/selinux/packages/%{name}/postsrsd.pp
 
 %files
-%license LICENSE
+%license LICENSES/*
 %ghost %{_sysconfdir}/postsrsd.secret
 %config(noreplace) %{_sysconfdir}/postsrsd.conf
 %{_unitdir}/postsrsd.service
 %{_sbindir}/postsrsd
-%{_docdir}/%{name}
-%{_mandir}/man8/postsrsd.8.gz
+%doc %{_docdir}/%{name}
+%{_sharedstatedir}/%{name}
 %{_datadir}/selinux/packages/%{name}/postsrsd.pp
-%{_datadir}/postsrsd/postsrsd-systemd-launcher
-
 
 %post
 if [ "$1" -le "1" ] ; then  # first install
@@ -89,6 +82,11 @@ fi
 # the admin may modify / restore from a backup, so better restore SELinux permissions unconditionally
 restorecon %{_sysconfdir}/postsrsd.secret
 %systemd_post %{name}.service
+# default value of local domain that will not be rewritten by srs and serve as the default domain to write other domains to.
+if [ ! -f /etc/postsrsd.domains ]; then
+hostname > /etc/postsrsd.domains
+chmod 640 /etc/postsrsd.domains
+fi
 
 
 %preun
@@ -109,6 +107,9 @@ fi
 
 
 %changelog
+* Sun Jun 07 2026 David Beveridge <dave@bevhost.com> - 2.0.11-1
+- First working 2.x release
+
 * Fri Jan 26 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.2-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
 

diff --git a/postsrsd.te b/postsrsd.te
new file mode 100644
index 0000000..3b982b4
--- /dev/null
+++ b/postsrsd.te
@@ -0,0 +1,16 @@
+
+module postsrsd 1.0;
+
+require {
+	type postfix_spool_t;
+	type postfix_cleanup_t;
+	type unconfined_service_t;
+	class unix_stream_socket connectto;
+	class sock_file write;
+}
+
+#============= postfix_cleanup_t ==============
+
+#!!!! This avc is allowed in the current policy
+allow postfix_cleanup_t postfix_spool_t:sock_file write;
+allow postfix_cleanup_t unconfined_service_t:unix_stream_socket connectto;